from the the-last-time-we-reformed-our-privacy-laws... dept

For many, many years, we've been talking about the need for ECPA reform. ECPA -- the Electronic Communications Privacy Act -- is an incredibly outdated piece of legislation from the 1980s that governs law enforcement's ability to access email and other electronic communications. This was the era before the internet was anywhere close to the mainstream (though it did exist). Among the various weird parts of the law, it says that any communication that is over 180 days old and still on a server is considered "abandoned" so that the government can access it without a warrant. Think about that in this era when you keep all your communications online. It was written when lawmakers thought people would "download" the messages off a server. That's just the most noteworthy problem -- there are all sorts of different definitions based on messages that have been opened or not opened and other oddities as well, almost none of which make sense.

Last year we noted that more than half of the House was co-sponsoring a bill put forth by Reps. Kevin Yoder and Jared Polis to reform ECPA in a big way. But even with so many supporting the law, it failed to move. A big hurdle? Both the IRS and SEC (note: not your standard law enforcement agencies) like the fact that they can use ECPA to snoop through electronic communications (without a warrant -- which those agencies can't get on their own anyway).

Yoder and Polis are back again with another attempt, and it's matched by similar legislation in the Senate from Senators Patrick Leahy and Mike Lee. To get attention for the bill, Yoder, Polis and some other supporters took to Twitter in a bit of a meme fest, highlighting some historical facts to demonstrate just how long it's been since ECPA became law. It's worth scrolling through them all (though, there are a lot), because some are pretty funny.

At this point, it's a complete travesty that such a bill hasn't become law. People have explained the need for it for well over a decade, and more than half of Congress was signed on to co-sponsor it in the last Congressional term. Already this new bill has 228 additional co-sponsors in the House and another 6 co-sponsors in the Senate. The IRS and SEC's objections are simply ridiculous. Having more convenient access to someone's emails is no excuse for not better protecting the privacy of our online communications.

Of course, this isn't the only effort going on to protect privacy. Reps. Zoe Lofgren, Ted Poe and Suzan DelBene have also introduced a bill to update ECPA. It's pretty clear that Congress knows that the law needs to be updated, and it's time to get past whatever objections there are and actually start protecting our privacy.

from the that's-not-how-this-works dept

A very stupid story broke out over the weekend and got some buzz after some people read way too much into some legal maneuvering. As you may recall, back in April a court ruled that Microsoft had to hand over email data stored in Ireland based on a warrant issued in the US under the (incredibly outdated) Electronic Communications Privacy Act (ECPA). Microsoft, quite reasonably, fought back, pointing out that a warrant only applies within the US and not to foreign countries. The DOJ (and the original judge) claimed that an ECPA warrant isn't really like a warrant at all, but rather a "hybrid warrant/subpoena." But, Microsoft (rightly) points out that this is the DOJ wanting the best of both worlds -- while ignoring the protections of both. Here was the crux of Microsoft's argument:

The Government's interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather, it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a "court order," but required a warrant to obtain a person's most sensitive and constitutionally protected information -- the contents of emails less than 6 months old.

Unfortunately, as we noted at the end of July, the judge in the case, Loretta Preska, sided with the DOJ.

On Friday, Judge Preska did what was basically a procedural move. When she had made the original ruling, she had put a stay on the ruling, fully expecting Microsoft to appeal. This is fairly standard procedure. When a district court judge knows a ruling is likely to be appealed the judge will frequently "stay" the ruling pending the appeal. The DOJ claimed that this was a procedural error and that the particular order, for a whole host of boring legal reasons, is not an "appealable order" and that the stay is inappropriate for that reason. Everyone involved in the case -- the Judge, Microsoft and the DOJ -- knows that it's going to go to an appeal. There's just a very, very minor debate over the correct legal process to get it to appeal. Judge Preska agreed that the original order probably is not appealable, and thus the stay order makes no sense, since it was only pending the appeal. Thus, to speed things along, she lifted the stay, noting quite clearly that this was to help along the appeal process:

Both parties share the common goal of permitting the Court of Appeals to hear this case as soon as possible. Their disagreement concerns the correct path to that goal. In other words, the parties agree on the destination but the route to get there is the subject of hot dispute.

Basically, this was a very minor move to push things onto the proper legal track to get this case before the appeals court. Because the original order isn't technically appealable, the stay didn't make any sense, so the Judge removed it, with everyone knowing that Microsoft won't hand over the info, leading the Judge to issue a different ruling that can be appealed. I saw the news on Friday and realized it wasn't worth writing about, because it's basically nothing.

However, a few sites appear to have totally misread this into being a big deal. If you don't read carefully, seeing that a judge lifted a stay suggests that Microsoft is being forced to hand over the info. But anyone who actually read any of the details (including the decision and/or the Reuters report that broke the news) should have known that wasn't actually the case. Microsoft then said the most obvious thing in the world: that it wasn't handing over the info, because it hasn't done that all along and this is what it needs to do to get the case to appeal. But a bunch of sites misread the whole thing as if Microsoft was somehow taking a new stand, rather than just procedurally moving things forward. A site called WindowsITPro wrote up that Microsoft was now "defying" a court order and this somehow proved it was a heroic company, fighting for its customers:

Despite a federal court order directing Microsoft to turn overseas-held email data to federal authorities, the software giant said Friday it will continue to withhold that information as it waits for the case to wind through the appeals process. The judge has now ordered both Microsoft and federal prosecutors to advise her how to proceed by next Friday, September 5.

Let there be no doubt that Microsoft's actions in this controversial case are customer-centric. The firm isn't just standing up to the US government on moral principles. It's now defying a federal court order.

They did this, even though in the very next paragraph the Microsoft statement itself points out that this is nothing more than a procedural issue. Unfortunately, sites like Slashdot also picked up on the WindowsITPro story and repeated the misleading headline.

Yes, Microsoft is trying to protect its customers' email data (held in Ireland) in this case. And yes, it's an important case. But Microsoft (and a variety of other tech companies that filed amicus briefs in support of Microsoft's position) took that stand months ago. What happened on Friday was a minor procedural effort to move the case along, and didn't represent any big new "heroic" move by Microsoft to "defy" a court order. Nothing to see here, move on. The appeals court is where this case will actually get interesting.

from the make-it-so dept

For years, we've written about the third party doctrine and its troubling implications for the 4th Amendment and your privacy -- especially in the digital era. If you're unfamiliar with it, the third party doctrine is the concept used by law enforcement (and, tragically, the courts) to say that you have no expectation of privacy or 4th Amendment rights in information you've given to a third party. The origins of this argument are not completely crazy, because there is a legitimate claim to the idea that if I entrust you with some private information, and you decide to disclose it, that my 4th Amendment rights haven't been violated. But that assumes a very different world. In today's digital world -- especially with cloud computing -- we "entrust" all sorts of information to third parties even though we still think of and treat that information like it's our own personal effects. These aren't cases in which I'm handing over a collection of journals to my neighbor to hold onto. Online services are treated as our own content -- which we can access, update and modify at any time from any device.

While the Supreme Court's recent decision in the Riley/Wurie cases suggests that it is becoming increasingly uncomfortable with law enforcement twisting old concepts onto new technologies to eviscerate privacy, the third party doctrine technically still stands -- and there has been little real discussion of it in Congress.

So it's good to see that Senator Ron Wyden is actually speaking out about why the third party doctrine needs to go. The speech is a good one, talking about oppressive governments and surveillance, and the rise of technology -- and how our laws have not kept pace when it comes to protecting our privacy against government intrusion. Then he digs in on the third party doctrine, noting that it was established by "judges who did not fully understand 20th Century technology, much less anticipate the technology we have today" and that it makes little sense considering the way we use technology today:

Some will still argue that by sharing data freely with Facebook, Google, Mint, Uber, Twitter, Fitbit, or Instagram, Americans are choosing to make that data public. But that is simply not the case. I might not have any expectation of privacy when I post a handsome new profile picture on Facebook, or when I send out a tweet to tell people I’ll be at the Tech Northwest conference. But when I send an email to my wife, or store a document in the cloud so I can review it later, my service provider and I have an agreement that my information will stay private. Neither of us have invited the government to have a peek. Basically, I think sharing this information with Google is like putting property in a safety deposit box, but the government thinks I’m posting it on a billboard out on I-5.

Citizens have agreed to a contract with Google or Mint that keeps their email or financial data private. In many cases these companies don’t even know what information they’re holding for you. Making information available to a service provider for a limited business purpose - so that they can give you a new app, or provide targeted ads, or do any other kind of business with you - is simply not the same as broadcasting that information to the public. In the view of the law this data should be as secure to your person as if it were sitting in a locked filing cabinet in your home office.

So how about fixing it? Well, he says, it needs to start by reforming the laws that cover the intelligence community, preventing them from bulk collection of the data you've handed to third parties.

I believe that any serious effort to reform this law needs to end the bulk collection of Americans’ personal information, starting with their phone records. I have been challenging this program for years on the grounds that it isn’t just harmless old metadata. Furthermore, I believe that Congress needs to reform the Foreign Intelligence Surveillance Court, to make it more transparent and to include an advocate for the American people. Additionally, there needs to be much greater transparency from intelligence agencies about the scale and scope of domestic surveillance activities, and private companies should be given the ability to disclose much more information about requests they receive from the government. Most of all, Congress must close the loophole that intelligence agencies are currently using to read a significant number of Americans’ communications without a warrant.

But that's just the start. He calls out Executive Order 12333, which we've been discussing lately. That's the Ronald Reagan-signed executive order that lets the NSA collect whatever the hell it wants outside of the US. As was recently revealed, this program, which has no Congressional or Judicial oversight, is really the core program that the NSA uses. All the domestic spying under Section 215 and 702? That's just to "fill in the gaps." Wyden thinks it's time that EO 12333 got reviewed and reformed:

The next step will be to seriously examine collection that is done overseas. When the Foreign Intelligence Surveillance Act was written in the late 1970s, it was written to only apply to collection done inside the United States. But that was back in an era when each country essentially had its own separate communications infrastructure.

Now those separate systems have been replaced by an integrated global communications network, in which calls and emails within one country might be routed through multiple different countries. When you combine that shift with new technology that makes it much easier to obtain large amounts of data, it no longer makes sense to assume that collection done overseas will not sweep up the communications of large numbers of law-abiding Americans.

This means that the rules that govern collection overseas will need to be substantially revised. These are governed by something called Executive Order twelve-triple-three, which is more than 30 years old and predates this sea-change in global communications. I was encouraged a few weeks ago when the Senate Intelligence Committee recognized this fact, and voted to advance a bill that would begin to establish some firmer rules in this area.

Finally, he talks about the need for ECPA reform -- another thing we've been discussing for years. ECPA is the 1986 Electronic Communications Privacy Act which is so woefully out-of-date, it's not even funny. It's the one that assumes if any communication is sitting on a server for more than 180 days, then it's "abandoned." Go look at how many emails in your Gmail account are over 180 days old... Even though more than half of the House is co-sponsoring an ECPA reform bill, law enforcement folks are protesting it, because they like the easy access. The DOJ loves to go on fishing expeditions with ECPA, as does the SEC and the IRS. Wyden says it's time for real reform.

There's much more that can be done, some of which he refers to in his speech, but it would be nice if Congress finally realized just how truly dangerous the third party doctrine is to our privacy.

from the say-what-now? dept

A NY judge has ruled against Microsoft in a rather important case concerning the powers of the Justice Department to go fishing for information in other countries -- and what it means for privacy laws in those countries. As you may recall, back in April, we wrote about a magistrate judge first ruling that the DOJ could issue a warrant demanding email data that Microsoft held overseas, on servers in Dublin, Ireland. Microsoft challenged that, pointing out that you can't issue a warrant in another country. However, the magistrate judge said that this "warrant" wasn't really a "warrant" but a "hybrid warrant/subpoena." That is, when the DOJ wanted it to be like a warrant, it was. When it wanted it to be like a subpoena, it was.

Microsoft fought back, noting that the distinction between a warrant and a subpoena is a rather important one. And you can't just say "hey, sure that's a warrant, but we'll pretend it's a subpoena." As Microsoft noted:

This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.

The Government's interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather, it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a "court order," but required a warrant to obtain a person's most sensitive and constitutionally protected information -- the contents of emails less than 6 months old.

The DOJ hit back earlier this month by basically saying, "yeah, whatever, let's pretend it's a subpoena and give us what we want already."

Overseas records must be disclosed domestically when a valid subpoena, order, or warrant compels their production. The disclosure of records under such circumstances has never been considered tantamount to a physical search under Fourth Amendment principles, and Microsoft is mistaken to argue that the SCA provides for an overseas search here. As there is no overseas search or seizure, Microsoft’s reliance on principles of extra-territoriality and comity falls wide of the mark.

Unfortunately, it appears that the judge just went with the DOJ's reasoning -- though she immediately stayed the ruling, since Microsoft made it clear it plans to appeal. Judge Loretta Preska basically just upheld the magistrate judge's ruling that Microsoft could, in fact, be compelled to hand over data held overseas via a warrant under ECPA, the Electronic Communications Privacy Act (which we've already noted has tremendous problems and needs to be reformed).

Beyond the problems this has for the 4th Amendment in the US, it's also going to create a mess in Europe, where they have much stricter data privacy rules, and where something like ECPA is clearly a problem. For the US to argue that it can make ECPA reach across the ocean into European servers is going to be a big problem -- especially at a time when Europeans are (rightfully) distrustful of the US government's ability to snoop on their data.

from the because-we're-the-us-gov't-dammit dept

Last month, we wrote about Microsoft challenging the DOJ's attempt to use the outdated Electronic Communications Privacy Act (ECPA) to go fishing for emails held overseas. As Microsoft rightly noted, a warrant does not apply overseas. A magistrate judge tried to dance around this, saying that a warrant under ECPA is really kinda like a subpoena. But Microsoft points out how insane that is:

This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.

Overseas records must be disclosed domestically when a valid subpoena, order, or warrant compels their production. The disclosure of records under such circumstances has never been considered tantamount to a physical search under Fourth Amendment principles, and Microsoft is mistaken to argue that the SCA provides for an overseas search here. As there is no overseas search or seizure, Microsoft’s reliance on principles of extra-territoriality and comity falls wide of the mark.

A bunch of tech and telco companies have all jumped into the case on Microsoft's side as well, noting that the DOJ's argument would almost certainly violate data privacy laws in other countries, not to mention piss off governments around the globe. The crux of the argument, as per usual with the DOJ, is that when it wants data, it will twist and twist and twist the laws to enable it to get access to as much data as possible, with as little scrutiny as possible. This is just one of many reasons why we need serious ECPA reform -- such that it actually respects the 4th Amendment. But, in this case, it would be nice to have a judge realize that even under such an outdated law, the DOJ's interpretation is simply out of line.

from the ecpa-reform-now dept

For quite some time we've talked about the importance of ECPA reform. ECPA -- the Electronic Communications Privacy Act -- is woefully outdated. Passed in the 1980s, when the internet was just a small network that connected a few universities, it has allowed law enforcement and other government officials to snoop on your email based on some very outdated definitions and assumptions. As we've discussed in the past, one very obvious example is the idea that, under the law, emails stored on a server for over 180 days are considered "abandoned" and that there's no need to get a warrant to view those emails. Of course, that was back when people expected old emails to be either deleted or downloaded. No one predicted "cloud" computing with virtually unlimited storage.

For years now, there's been a major effort at ECPA reform, to actually make sure that law enforcement needs a warrant to view your emails. It has had strong support in Congress for some time, but the main folks fighting against it are the SEC and the IRS, who like the fact that they can search through your emails without a warrant. In fact, the SEC seems to revel in its ability to do some very questionable things, in part thanks to ECPA.

Earlier this week, the main ECPA reform bill in the House, sponsored by Reps. Kevin Yoder and Jared Polis, hit a new milestone: it currently has 218 co-sponsors, meaning that more than half of the House now has their name on the bill. And yet, the bill is still stalled out, because House leadership has been scared off by the SEC and IRS. Hopefully, the House will finally move forward on this bill.

And while Yoder notes in that article that the NSA revelations have actually helped give this bill momentum, it's important to note that this is separate from the NSA reform issue. ECPA reform is unrelated to the NSA stuff, but covers what other government agencies can do with your email. Both are important issues, but it would be great to finally get basic ECPA reform through. This is a fight that's been going on for over a decade, and with more than half the House supporting it, how much longer can Congressional leadership ignore it?

from the going-to-be-an-important-fight dept

Back in April, we wrote about a magistrate judge ruling that Microsoft had to comply with a warrant asking for data that was held on servers in Dublin. Microsoft argued, quite reasonably, that a US warrant doesn't apply outside of the US. Unfortunately, magistrate judge James Francis disagreed, saying that while it's true that traditional warrants only apply inside the US, this is different because it's "digital." He argued that because the issue was about information, rather than physical property, it could be considered more like a subpoena than a warrant. As we noted, Microsoft made it clear that it would challenge this ruling, and now it has done so, arguing that the ruling flies in the face of the law and the Constitution. This summary from Microsoft's filing is pretty clear on what an incredibly big deal this is, with the government basically seeking to get the best of a subpoena and a warrant without any of the protections and limits required of either:

The Magistrate Judge issued a warrant under the Electronic Communications Privacy Act ("ECPA") that on its face, purports to authorize the Government to search any and all of Microsoft's facilities worldwide. Microsoft moved to vacate the warrant because the private email communications the Government seeks are located in a Microsoft facility in Dublin, Ireland and because Congress has not authorized the issuance of warrants that reach outside U.S. territory. The Government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft's Dublin facility. Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do -- i.e., execute a warranted search abroad. To end-run these points, the Government argues, and the Magistrate Judge held, that the warrant required by ECPA is not a "warrant" at all. They assert that Congress did not mean "warrant" when using that term, but instead meant some previously unheard of "hybrid" between a warrant and subpoena duces tecum. The Government takes the extraordinary position that by merely serving such a warrant on any U.S.-based email provider, it has the right to obtain the private emails of any subscriber, no matter where in the world the data may be located, and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.

This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.

The Government's interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather, it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a "court order," but required a warrant to obtain a person's most sensitive and constitutionally protected information -- the contents of emails less than 6 months old.

Verizon has stepped in as well, pointing out that if the original ruling is allowed to stand, it could have significant negative impact on the ability of US businesses to get non-US users to trust them -- an increasingly important issue in light of the Snowden revelations.

The magistrate’s ruling, if left standing, could cost U.S. businesses billions of dollars in lost revenue, undermine international agreements and understandings, and prompt foreign governments to retaliate by forcing foreign affiliates of American companies to turn over the content of customer data stored in the United States.

The recent revelations about U.S. intelligence practices have heightened foreign sensitivities about the U.S. government’s access to data abroad, generated distrust of U.S. companies by foreign officials and customers, and led to calls to cease doing business with U.S. communications and cloud service providers. Studies have estimated that this distrust will result in tens of billions of dollars in lost business over the next few years. The magistrate’s ruling, if left standing, will dramatically increase the harm to American businesses. It would mean that foreign customers’ communications and other stored data would be available to hundreds or thousands of federal, state, and local law enforcement agencies, regardless of the laws of the countries where the data is held. Foreign customers will respond by moving their business to foreign companies without a presence in the United States.

If you hadn't figured it out by now, this case is going to have tremendously important ramifications for privacy around the globe.

from the weakest-'powerful'-senator dept

Senator Patrick Leahy is often considered one of the most powerful Senators. He's the most senior Senator, third in the presidential line of succession (after the VP and the Speaker of the House) and the head of the powerful Senate Judiciary Committee. He's often presented as a "friend" to both the technology and civil liberties communities -- even though many in both of those communities still view him skeptically for his all-out support for dangerous copyright legislation in the PROTECT IP Act (PIPA), which would have seriously messed with the underlying DNS structure of the internet. Even so, on a variety of other issues, including NSA reform, ECPA reform and patent reform, he's often been seen as leading the charge.

But over and over again, it seems that charge is... to go nowhere.

Politico has a story about how last week was a disaster for the tech industry in Washington DC. For all the talk about how Silicon Valley has been flexing its lobbying power, patent reform was killed, a good NSA reform bill was replaced with a bad one (leading the tech industry to pull its support) and the fight for immigration reform went the way it normally does -- nowhere beyond people yelling at each other.

But what I found even more interesting is just how powerless the "powerful" Senator seems to be on so many of these issues. Leahy has been the leading Senate voice for ECPA reform (requiring a warrant to search your electronic data) for years -- and it has pretty widespread support. And yet, he's unable to get it to move forward because the SEC and IRS want to be able to read emails without a warrant. Really?

Similarly, for over a decade, Leahy has been the point person on patent reform in the Senate, promising to finally reform the system to stop abusive patents. The bill he finally got through in 2011 did absolutely nothing after it was watered down and watered down and watered down some more. And this year, when it looked like there might finally be a bill with at least a little (not nearly enough) progress towards stifling abusive patent practices, he got completely shut down by the trial lawyers and Harry Reid.

And, now we're basically relying on Senator Leahy to fix the NSA reform package. He introduced the companion to the USA Freedom Act in the Senate, and many in the tech and civil liberties communities are hopeful that Leahy will stand firm in actually reforming the NSA. And while he's been saying all the right things about reforming the NSA, given his track record, you have to start to wonder: can this super powerful Senator actually get this done right?

Yes, getting anything done in Congress is a pretty difficult process these days (perhaps for good reason). But we keep hearing about how Senator Leahy is so powerful and such a friend to innovation and civil liberties. But over the past few years, it's been a lot of tough talk, and nothing ever seems to actually get done. It really begins to make you wonder if he's such a "friend" to these communities after all.

from the the-sec-doesn't-like-the-constitution dept

Back in December, we wrote about the effort to push for ECPA reform by noting that one of the main government agencies fighting against it was the SEC, which wanted the ability to snoop through your emails without getting a warrant. If you don't remember, ECPA is an excessively outdated law from 1986, whose definitions make no sense in the internet era (especially one with cloud computing). The key example often given is that emails on a server that are over 180 days old are considered "abandoned" and thus no warrant is needed to access them. That may have kind of made sense in an era when people downloaded all of their email, but now that nearly all email remains on servers somewhere it makes no sense at all. There are other problems with ECPA similar in nature (opened vs. unopened emails are treated differently, for example), but it's clear the law is outdated.

Two stories popped up last week that raise serious concerns about the way that the SEC tramples on the Constitution. The first is that in a hearing, SEC boss Mary Jo White was asked why the SEC is so resistant to ECPA reform and what's wrong with getting a warrant, and more or less admitted that it's standard practice for the SEC to not get a warrant, but to rely on loopholes in ECPA to get access to emails. Prior to this, many had assumed that this was just a desire of the SEC, not that they were regularly doing it. But White's answer makes it clear that the SEC views this practice -- which seems like it should be a clear 4th Amendment violation -- as standard operating procedure.

While she insists that the privacy issues aren't a huge deal, because the SEC tries to "give notice" to the subscriber whose email is being accessed, that still doesn't explain why paper documents require a warrant, and yet the SEC doesn't bother with the much higher standard (including judicial review) of a warrant for electronic documents.

Meanwhile, concerning a separate issue, Mark Cuban and his lawyer published an op-ed in the Wall Street Journal last week, discussing the SEC's totally bogus case against him for insider trading, which got tossed out by a lawyer. The key issue they discussed is how the SEC had exculpatory evidence that proved Cuban had done no wrong from back in 2004 -- and then did everything possible to avoid turning over that evidence, as is normally required in legal proceedings.

In a criminal trial, the federal government has long been obliged to promptly turn over to the defense any evidence that could show that the accused did not commit the offense of which he is accused. The Brady rule (announced in the 1963 Supreme Court case, Brady v. Maryland), prevents one-sided prosecutions in which the defendant is kept in the dark about information that might show that he is innocent.

The government's job as criminal prosecutor is not to obtain convictions, but "to do justice," according to the traditional legal maxim. It should be required to follow the Brady rule in civil trials as well. But the SEC does not, even when it accuses a citizen of fraud. Had the agency complied with this simple rule in its recent insider-trading case against one of us, Mark Cuban, it is unlikely that a lawsuit would even have been filed, let alone go to trial.

At issue were notes the SEC had concerning the details of Cuban's conversation with the CEO of Mamma.com, the search engine Cuban had invested in (and then sold all his shares in), which showed that, contrary to the SEC's claims in the case against him, Cuban had never made certain promises. When Cuban and his lawyer asked for these notes, the SEC resisted.

The SEC, however, resisted the disclosure of these notes for the next three years. Even up until the time Mr. Cuban took the stand, the SEC continued to fight to keep the notes from being shown to the jury by asking the judge to exclude them from evidence. Fortunately, the judge disagreed and the jury ultimately cleared Mr. Cuban of a charge of insider trading.

So, reading both of these stories, we see that the SEC feels that it is free to ignore both the 4th Amendment (against search and seizure without a warrant) and the 14th Amendment (concerning due process). Don't we think that agencies of the federal government should be required to follow the Constitution -- especially basic concepts like protecting the privacy of individuals and giving them basic due process? And, for those of you who think this is no big deal, because it's the SEC, and the SEC just goes after big bad bankers and the like, recognize that the agency following right behind the SEC in fighting ECPA reform is the IRS. Do you feel it's similarly okay for the IRS to search your emails and electronic records without a warrant while also believing that it need not share any of the exculpatory evidence it finds, proving your innocence, while bringing a case against you for violating the law?

Oh, and just for the hell of it, let's take this a step further. Just a few weeks ago, the NY Times reported on an increasingly popular tactic of law enforcement to effectively use the SEC to trick people into implicating themselves in criminal cases. It tells the story of a low-level guy who worked at a law firm, and was asked by the SEC to "help out" with an investigation. Only at the last minute was it mentioned that someone from the district attorney's office would be present -- and at no time was there any indication that the guy was being investigated for criminal behavior. But thanks to the SEC smokescreen, the guy was indicted, and he's still not sure why.

So, now it's an SEC that ignores the Constitution, searches emails without a warrant, hides exculpatory evidence and surreptitiously uses these "investigations" to help build out criminal charges against people on a highly questionable basis. See the problem, yet?

The folks over at VanishingRights.com are fighting to reform ECPA, which would at least solve half of the problem above. Right now, the SEC and the IRS remain the main government agencies aligned against such reform. It's time to tell those agencies that they need to obey the Constitution too.

from the and-now-we-wait... dept

The We the People petition to reform the ECPA in order to give email the same Fourth Amendment protection that snail mail enjoys narrowly passed the 100K signature threshold needed to (theoretically) prompt a response from the administration.

The last-minute push to hit the mark was impressive. Reminded by the post here yesterday that I hadn't actually signed the petition yet, I went and remedied that around 5 pm (CST) yesterday evening. At that point, it looked as though the petition would be an also-ran, having only gathered about 78,000 signatures with just a few hours remaining.

One would hope this one does prompt a serious response. The only reason this law hasn't been updated is because treating email 180 days old or older as "abandoned" cuts down on the requirements law enforcement and investigative agencies need to meet to access it. These entities obviously benefit heavily from the clearly outdated law and have no interest in seeing this convenient loophole in Fourth Amendment protection closed. The administration has long defended our nation's intelligence and investigative agencies, so it may have little interest in making their jobs "harder." On the other hand, this support has seen a marked decline over the past few weeks, and there are indications that some in the White House really do want to fix this, so there may be some hope yet.

On the plus side, The Hill reports that the DOJ has already weighed in on this topic.

At a House hearing in March, Elana Tyrangiel, the acting assistant attorney general for the Justice Department's Office of Legal Policy, agreed that updating ECPA has "considerable merit."

"We agree, for example, that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old," she said. "Similarly, it makes sense that the statute not accord lesser protection to opened emails than it gives to emails that are unopened."

This step in the right direction was unfortunately tempered by a massive step backward.

But she urged lawmakers to exempt civil regulatory investigations from the warrant requirement. She explained that regulators investigate conduct that is unlawful, but not necessarily criminal. She argued that because regulators often do not have access to the warrant power, the requirement would impede critical government investigations.

This "exemption" basically defeats the entire purpose of ECPA reform, and in some ways, makes things worse. It takes a little loophole in the law, which came about because of changes in technology, then widens it and puts a giant stamp of approval on it. It goes from a little loophole that violates the 4th Amendment to a big official law that violates the 4th Amendment.

On top of that, frankly, I'm of the opinion that government investigations could use a few more impediments. And it's not as if regulators can't compel production of email through subpoenas. Just because they're not pursuing criminal charges doesn't mean they're completely out of options. When you're looking to close a loophole, it's hardly beneficial to create a giant open door in its place. Civil regulatory agencies should treat the email they seek like they do any other document. If they can't just seize these because an arbitrary amount of time has passed, then they shouldn't be able to do so with email. The rules need to be standardized, not undermined by exceptions and justifications.